In a U.S. election year, talk of democracy is expected. But at this year’s RSA Conference a Cisco Systems official took it to another level by arguing it’s time to democratize information security.
Also at the official opening Tuesday of the week-long conference in San Francisco, a McAfee official urged infosec pros to put more resources into combating the threat that quantum computing poses to today’s encryption.
Wendy Nather, who heads Cisco’s CISO advisory service, made the plea to democratize security in a keynote, citing the repeated failure of infosec pros to get users to change their habits.
“We are trying to secure with an unsustainable security model,” she said, the model in which IT is the master of all security rules. “It’s time to break it and put it back together. We should start by changing our model from one of control to one of collaboration, we should simplify security controls and open our security culture to everyone.”
As an example of failure, she recalled that a lawyer at a U.S. state agency where she once worked asked for an email filter to be implemented to prevent staff from including social security numbers in outgoing mail. Not long afterward the filter caught the lawyer himself trying to email personnel evaluations to his home address that included — yup — social security numbers.
As for awareness programs that try to stop users from clicking on possibly malicious attachments, Nather suggested they’re almost useless. The fact is, she argued, computing involves clicking on things.
Meanwhile, she added, infosec pros ask staff to click to download an 18-page white paper on how not to click on things.
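The outbound filter in Nather’s anecdote is a simple data-loss-prevention check. The script below is an added illustration, not the agency’s filter or anything shown at the conference: it scans constructed sample messages for U.S. social security numbers and blocks only those leaving the (assumed) internal domain `agency.example`. The pattern excludes area, group and serial values the SSA never issues, which cuts false positives on ticket numbers and phone fragments; the `Mail` class, domain and sample messages are all hypothetical.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example (not the agency's filter). SSN format is AAA-GG-SSSS.
# Issued SSNs never use area 000, 666 or 900-999, group 00 or serial 0000,
# so those are rejected to avoid flagging ticket IDs and phone fragments.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})(?!\d)"
)

INTERNAL_DOMAIN = "agency.example"  # assumption: the agency's mail domain


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in text, normalised to AAA-GG-SSSS."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)]


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    body: str


def should_block(mail: Mail) -> tuple[bool, str]:
    """Block a message that leaves the internal domain and carries an SSN."""
    external = not mail.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    hits = find_ssns(mail.subject + "\n" + mail.body)
    if external and hits:
        return True, f"{len(hits)} SSN(s) addressed to external {mail.recipient}"
    return False, "allowed"


# Constructed sample outbox, modelled on the anecdote above.
SAMPLE_MAILS = [
    Mail("counsel@agency.example", "counsel.home@mail.example",
         "Evaluations", "Doe, J. SSN 123-45-6789: exceeds expectations"),
    Mail("hr@agency.example", "payroll@agency.example",
         "New hire", "SSN 219 09 9999 for onboarding"),          # internal: allowed
    Mail("help@agency.example", "vendor@partner.example",
         "Ticket", "Ref 000-12-3456, no PII attached"),          # not a valid SSN
]


def scan_outbox(mails: list[Mail]) -> list[tuple[str, bool, str]]:
    """Apply the filter to each message; returns (recipient, blocked, reason)."""
    return [(m.recipient, *should_block(m)) for m in mails]


if __name__ == "__main__":
    for recipient, blocked, reason in scan_outbox(SAMPLE_MAILS):
        print("BLOCK" if blocked else "PASS ", recipient, reason)
```

The lawyer’s message is the first one in the sample outbox; the same rule that he asked for is what stops it, which is Nather’s point.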
“Why are we yelling at users?” she asked. “Wouldn’t it be better if we secured things so that it wouldn’t matter if they clicked on things?”
Security awareness programs, she added, are “a losing proposition … We think if we train them louder and explain harder they will stop clicking on things.”
Infosec pros think they have a lot of control over corporate environments today, Nather said. But with cloud computing, virtual machines and third-party APIs, that’s no longer true.
She suggested letting users make more security-related decisions. One CISO told Nather that when the business side asks him, “Is this safe to do?” he replies, “I don’t know, you tell me.”
“He is empowering them to make security decisions because they are better at weighing the business opportunity against the business risk,” said Nather. “We have to make room for that.”
But there’s still room for security products
The CISO can still keep an element of control by setting security requirements. Staff can then be told that to access corporate resources they have to figure out how to meet those rules.
Another way is to separate business rules from applications, so that the rules can be changed without altering the application.
“I know it makes people nervous, especially security people, to think about the idea of giving away control,” said Nather. “But done right collaboration will allow business and security to be agile.”
Second, security has to be made simpler.
“Security should be what the user would rather do anyway,” she argued.
For example, Apple’s initial screen lock for the iPhone, which relied on a PIN, had poor adoption, she indicated. But when Apple added the fingerprint-reading Touch ID sensor to the Home button, which users already press regularly, adoption soared.
Third, make cybersecurity part of corporate and popular culture. That includes teaching children what security is and what its consequences are, and removing parental controls so children learn to judge for themselves whether something they want to do is safe.
Security controls, she said, should be designed to be identical across any technology.
In short, Nather said, cybersecurity shouldn’t be only in the hands of professionals, vendors and governments.
In his keynote, McAfee CTO Steve Grobman complained that infosec pros are not sharing threat intelligence and are not patching known vulnerabilities fast enough.
He also urged the industry to put more resources into preparing for the threat quantum computing poses to current encryption. Quantum computing’s ability to break data encrypted with today’s algorithms may be years away, Grobman said, but we should assume nation-states are stealing and storing encrypted data now. Why? “They’re not worried about decrypting it today, they’re counting on quantum to do it in the future.”
So organizations have to start looking now at which protected data will still be sensitive if it is cracked years in the future — for example, social security numbers or national secrets. And the industry has to step up its efforts now to find quantum-resistant encryption. That is a project the U.S. National Institute of Standards and Technology (NIST), along with other countries including Canada, has been engaged in for some time.
Yet of the 69 algorithms initially submitted to NIST’s process, 12 were broken within three weeks. After three years the field has only been narrowed to 26 candidate quantum-resistant algorithms.
In the short term, organizations should move network traffic to the more secure TLS 1.3 protocol now, Grobman said, which is harder to crack.
In addition, he said, “let’s all commit to build post-quantum action plans that measure time and impact sensitivity [of data] so we’re ready to migrate systems as the post-quantum ecosystem is ratified.”
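Grobman’s “time and impact sensitivity” plan can be made concrete with Michele Mosca’s inequality: an asset is exposed if X + Y > Z, where X is how many years the data must stay secret, Y is how long it will take to migrate the system, and Z is the number of years until a cryptographically relevant quantum computer exists. The script below is an added example, not McAfee’s method or anything presented at RSA; the inventory is constructed, the classification of primitives reflects the standard analysis (Shor’s algorithm breaks RSA and elliptic-curve key exchange outright, Grover’s roughly halves the effective key length of symmetric ciphers), and Z = 10 is an assumption to be replaced with the organization’s own estimate. Note that an asset moved over TLS 1.3 is still classified by its key-exchange primitive (X25519 or ECDH), which is in the Shor-breakable class, so the TLS upgrade alone does not change the verdict for long-lived data that is captured today.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example of a post-quantum action-plan calculator based on Mosca's
# inequality (at risk if X + Y > Z). Not from the keynote; all data below is
# constructed and the CRQC horizon (Z) is an assumption, not a prediction.

# Shor's algorithm breaks public-key primitives; Grover's halves the effective
# key length of symmetric ciphers (AES-128 -> ~64 bits, AES-256 -> ~128 bits).
QUANTUM_BROKEN = {"RSA-2048", "RSA-4096", "ECDH-P256", "ECDSA-P256", "X25519"}
QUANTUM_WEAKENED = {"AES-128"}
QUANTUM_OK = {"AES-256"}


def quantum_status(algorithm: str) -> str:
    if algorithm in QUANTUM_BROKEN:
        return "broken"
    if algorithm in QUANTUM_WEAKENED:
        return "weakened"
    if algorithm in QUANTUM_OK:
        return "ok"
    return "unknown"  # unknown primitives should be treated as broken until reviewed


@dataclass
class Asset:
    name: str
    algorithm: str            # weakest primitive whose compromise exposes the data
    shelf_life_years: float   # X: how long the data must remain confidential
    migration_years: float    # Y: time to redeploy the system with PQ crypto
    impact: int               # 1 (nuisance) .. 5 (national-secret level)


def assess(asset: Asset, crqc_years: float) -> dict:
    """Apply X + Y > Z to one asset; margin < 0 means the deadline is already missed."""
    status = quantum_status(asset.algorithm)
    margin = crqc_years - (asset.shelf_life_years + asset.migration_years)
    at_risk = status in ("broken", "weakened", "unknown") and margin < 0
    return {"name": asset.name, "status": status, "margin_years": margin,
            "at_risk": at_risk, "impact": asset.impact}


def action_plan(assets: list[Asset], crqc_years: float = 10.0) -> list[dict]:
    """Rank assets: at-risk first, then by impact, then by how far past the deadline."""
    rows = [assess(a, crqc_years) for a in assets]
    rows.sort(key=lambda r: (not r["at_risk"], -r["impact"], r["margin_years"]))
    return rows


# Constructed inventory: the examples Grobman names (SSNs, national secrets)
# plus short-lived and symmetric-only data for contrast.
INVENTORY = [
    Asset("citizen SSN archive (RSA-2048 key exchange on transfers)", "RSA-2048", 50, 3, 5),
    Asset("classified cables (RSA-4096 wrapped keys at rest)", "RSA-4096", 25, 5, 5),
    Asset("backup tapes (AES-256 at rest)", "AES-256", 30, 2, 4),
    Asset("session tokens (X25519 key exchange, one-day lifetime)", "X25519", 0.01, 2, 2),
    Asset("internal logs (AES-128 at rest)", "AES-128", 2, 1, 1),
]


if __name__ == "__main__":
    for row in action_plan(INVENTORY, crqc_years=10.0):
        flag = "AT RISK" if row["at_risk"] else "ok     "
        print(f"{flag} impact={row['impact']} margin={row['margin_years']:+.1f}y "
              f"[{row['status']}] {row['name']}")
```

The ranking shows why harvest-now-decrypt-later matters: the SSN archive and the classified cables miss the deadline by decades even though their systems could be migrated within five years, because the data that crosses the wire before migration stays sensitive long after any plausible Z. Short-lived session keys over the same broken primitive are not a concern, and AES-256 data at rest needs no change. Shortening Y (starting migration now) is the only lever an organization controls.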
Quantum and cloud computing offer great promise for solving problems, he said, but threat actors know this too.
“But let’s not hinder our future by remaining blind to the threats that target these platforms.”